Jamo Posted July 28, 2011 Share Posted July 28, 2011 Hi, I was almost accidentally viewing my servers log ie. http://192.168.1.9/server-status?refresh=n Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request 0-0 1056 90/396/396 W 0.76 0 0 85.8 0.35 0.35 192.168.1.18 127.0.1.1 GET /server-status?refresh=n HTTP/1.1 1-0 1057 0/305/305 _ 0.58 2485 1 0.0 0.27 0.27 101.128.153.201 127.0.1.1 GET / HTTP/1.0 2-0 1058 0/307/307 _ 0.56 152 0 0.0 0.27 0.27 87.230.74.46 127.0.1.1 GET /din.aspx?s=00000000&id=0&client=DynGate&p=10000001 HTTP/1. 3-0 1059 0/306/306 _ 0.53 2486 0 0.0 0.27 0.27 50.57.93.243 127.0.1.1 HEAD /robots.txt HTTP/1.0 4-0 1060 0/305/305 _ 0.52 25 2 0.0 0.27 0.27 192.168.1.18 127.0.1.1 GET /server-status?refresh=n HTTP/1.1 5-0 1249 0/245/245 _ 0.46 424 1 0.0 0.21 0.21 74.125.152.80 127.0.1.1 GET /pictures/Webcam.JPG HTTP/1.1 I have dd-wrt router, and server is old dell laptop, which runs turnkey linux'es LAMB server. I have disabled some administrative features, and Im only running apache, and hosting phproxy. Only ports 80 and 443 are forwarded. nmap host-ip PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Quote Link to comment Share on other sites More sharing options...
digip Posted July 28, 2011 Share Posted July 28, 2011 (edited) Do you have HTTP return codes for the logs as well? Because it looks like some people are just attempting to connect and look for files that may or may not exist, and they might just be getting 404 not found if they files aren't there. Without return codes, can't really say what is happening, but might just be random searches by bots or people trying to scan a network for vulns. 74.125.152.80 is google, or googel-bot, so if it found this, it had a reason to look there, like a referrer from your own browser to another site running analytics. 50.57.93.243 is a cloud-ips.com server, more than likely someones own website and using it to scan other sites. Possibly even a custom web crawler hosted by cloud-ips. 87.230.74.46 is teamviewer, and if you were using it at the time, that is the server you or someone else was using to connect to your box or from your box to someone elses box. If you don't use Teamviewer, then I would be highly concerned that someone didn't slip in a portable version with hard coded password setup without your knowledge. The last one you listed, 101.128.153.201, is an address in Japan. If you don't know who it is, you can block it in .htaccess, but I think checking the security of your router, VM and host machine goes without saying. Personally, running a web server live to the internet, is a bit risky. If anything, either set up a VPN to access the web server, or htpasswd the entire thing, using a unique and secure username and password. This way, at most, people would be attempting to brute force their way into the webserver. VPN would probably be the best setup, and make it so you didn't even need phproxy to surf from your home machine, unless of course you had something specific you wanted to serve from the web-server to visitors or friends. edit: just thought of something else, but if using turnkeys lamb server(lamb or lamp?) does it have myphpadmin or such on it? If so, amke sure it is secured, and change the default passwords for it if it is already locked down. In fact, change all passwords on the VM, because a common mistake is to use a downloadable VM or ISO of a live machine, which has pre loaded passwords. I know the Linux/Wordpress VM I downloaded from Turnkey had preloaded passwords, for wordpress, webmin, phpmyadmin, etc, and I changed them all, as well as added an htpasswd file so no one can reach any of the services running on the machine. Edited July 28, 2011 by digip Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 28, 2011 Author Share Posted July 28, 2011 (edited) Do you have HTTP return codes for the logs as well? Because it looks like some people are just attempting to connect and look for files that may or may not exist, and they might just be getting 404 not found if they files aren't there. Without return codes, can't really say what is happening, but might just be random searches by bots or people trying to scan a network for vulns. Where is that? 74.125.152.80 is google, or googel-bot, so if it found this, it had a reason to look there, like a referrer from your own browser to another site running analytics. 50.57.93.243 is a cloud-ips.com server, more than likely someones own website and using it to scan other sites. Possibly even a custom web crawler hosted by cloud-ips. 87.230.74.46 is teamviewer, and if you were using it at the time, that is the server you or someone else was using to connect to your box or from your box to someone elses box. If you don't use Teamviewer, then I would be highly concerned that someone didn't slip in a portable version with hard coded password setup without your knowledge. The last one you listed, 101.128.153.201, is an address in Japan. If you don't know who it is, you can block it in .htaccess, but I think checking the security of your router, VM and host machine goes without saying. Well I have now blocked those ips using IPtables iptables -A INPUT -s 68.45.116.1 -j DROP Is that enough, Iv done that on the server, not on the router. I havent never understood how to use .htaccess... I have teamviewer in my Desktop pc and in laptops, but not in that "server" Personally, running a web server live to the internet, is a bit risky. If anything, either set up a VPN to access the web server, or htpasswd the entire thing, using a unique and secure username and password. This way, at most, people would be attempting to brute force their way into the webserver. VPN would probably be the best setup, and make it so you didn't even need phproxy to surf from your home machine, unless of course you had something specific you wanted to serve from the web-server to visitors or friends. Yea, I know its risky, but I need a unkonown proxy with ssl so I can bypass access restictions. and to get a bit more secure connection from public pc's, like from school... Im also running pptp vpn. Its no the most secure, but it takes some effort to crack it so its enough for me. And it was easy to setup. edit: just thought of something else, but if using turnkeys lamb server(lamb or lamp?) does it have myphpadmin or such on it? If so, amke sure it is secured, and change the default passwords for it if it is already locked down. In fact, change all passwords on the VM, because a common mistake is to use a downloadable VM or ISO of a live machine, which has pre loaded passwords. I know the Linux/Wordpress VM I downloaded from Turnkey had preloaded passwords, for wordpress, webmin, phpmyadmin, etc, and I changed them all, as well as added an htpasswd file so no one can reach any of the services running on the machine. LAMP, I have changed passwords, I have removed phpmyadmin and such. Its a ISO which asked me to set passwords so no default passwords, like in BT5 VM im running root/toor and I have also renamed every folder in /var/www, which I dont currently need, root@lamp /var/www# ls [b]cgi-bin[/b]12312313245648912454684 css index.html index.php.bak js [b]phpinfo.php[/b].bak.oihjhusafasibsdjlbui proxy xyz[b]image[/b]sxytasdqwerty root@lamp /var/www# css and proxy are folders and index.html aint the apaches default page Not Found The requested URL was not found on this server. Edited July 28, 2011 by Jarmo Quote Link to comment Share on other sites More sharing options...
digip Posted July 28, 2011 Share Posted July 28, 2011 (edited) Usually in an access.log file, you get them in order, the users IP or DNS name, the time stamps, the url requests, then after the URL it says soemthign liek HTTP 200 or HTTP 404, 302, etc. Not sure if the stats you are using are something part of the VM but look in /var/logs or wherever the syslogs are and the apache logs folder. Should have a file called access.log and error.log which correlate to the apache traffic. Depends on the naming convention used though and if they have them turned on. Blocking individual IP's would be time consuming. You probably get more traffic than you realize, but better to password protect it all together, like an htpasswd file and htaccess setup. You can google on how to set them up. You might already have an .htaccess file on the server to begin with. Its a hidden file(denoted by the . prefixed) so you might not see it in an ls command unless you to ls -a, or view from a gui and have show hidden files on. edit:by the way, you can use something like http://www.tools.dynamicdrive.com/password/ to generate the codes to plug into htpasswd adn htaccess. Edited July 28, 2011 by digip Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 28, 2011 Author Share Posted July 28, 2011 (edited) Thanks for the link, I just got it running manually, but that will make things even easier in future. well, now I think I have .htaccess set up correctly. thanks for the tip. At least now my hxxp://192.168.1.9/server-status?refresh=n seems better, just me connecting to it. Edited July 28, 2011 by Jarmo Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted July 29, 2011 Share Posted July 29, 2011 Generally I block all IP addresses that originates from the following countries Russia, China and Nigeria. Specifically China, they are very bad and can't tolerate them. You can use .htaccess as suggested by Digip to add the ip addresses individually or block them by a subnet range, this option would allow you to maintain a short blacklist of bad IP addresses, but the downside of this approach is of course, you could potentially block any legit user from visiting your site. That is if he/she falls under the same class or range of IP address contained in the .htaccess file. Blocking IP addresses can be an effective option to block bad IP addresses, but can be very hard to manage, once your black list starts getting longer. Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 29, 2011 Author Share Posted July 29, 2011 0-0 9970 31/145/145 W 0.59 0 0 35.4 0.13 0.13 192.168.1.18 127.0.1.1 GET /server-status?refresh=n HTTP/1.1 1-0 9971 0/108/108 _ 0.36 38215 1 0.0 0.09 0.09 31.44.184.50 127.0.1.1 GET http://allrequestsallowed.com/?PHPSESSID=5gh6ncjh00043YZMWW 2-0 9972 0/203/203 _ 0.69 2352 4 0.0 0.18 0.18 192.168.1.18 127.0.1.1 GET /server-status?refresh=n HTTP/1.1 3-0 9973 0/106/106 _ 0.37 40034 3 0.0 0.10 0.10 (me from othrer addreass...) 127.0.1.1 GET /proxy/javascript.js HTTP/1.1 4-0 9974 0/76/76 _ 0.26 173 2 0.0 0.07 0.07 192.168.1.18 127.0.1.1 GET /favicon.ico HTTP/1.1 5-0 10059 0/106/106 _ 0.36 2153 0 0.0 0.10 0.10 88.199.11.66 127.0.1.1 GET /phpMyAdmin/config/config.inc.php?eval=echo%20md5(123); HTT 6-0 10060 0/109/109 _ 0.43 173 3 0.0 0.10 0.10 195.236.48.161 127.0.1.1 GET / HTTP/1.1 7-0 10075 0/206/206 _ 0.70 2154 0 0.0 0.18 0.18 88.199.11.66 127.0.1.1 GET /phpmyadmin/config/config.inc.php?eval=echo%20md5(123); HTT 8-0 10568 0/102/102 _ 0.35 40041 2 0.0 0.09 0.09 195.236.48.161 127.0.1.1 GET /favicon.ico HTTP/1.1 It seems that .htaccess didnt do the trick. For some reason I cant remove phpmyadmin, well I just renamed phpmyadmin file to something random. Quote Link to comment Share on other sites More sharing options...
digip Posted July 29, 2011 Share Posted July 29, 2011 (edited) This is why you need to change yoru rules in htaccess and use an htpasswd file as well, so only you can access the server. The htaccess and htpasswd files need to be in the root most directory, so the rules apply to everything further down the tree. (ie: /var/www/ or /var/www/html depending on how your apache is configured). Start with using a block list if you want - #example htaccess blocklist IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti* <Files .htaccess> order allow,deny deny from all </Files> <Limit GET HEAD PUT POST OPTIONS> Options -Indexes order deny,allow deny from 91.201.66.0/24 #example-subnet-to-block </Limit> <Limit PUT DELETE> order deny,allow deny from all </Limit> RedirectMatch temp ^/phpMyAdmin/$ / RedirectMatch temp ^/phpmyadmin/$ / Or alternatively, only allow certain IP addresses to reach it, denying EVERYONE except who you whitelist. This can be problematic, if you are somewhere that you IP changes and you block yourself, but if you can sftp in or ssh in and edit the rules to add your own IP then not an issue, and something I keep putty on a keychain for, so I can remote in and add myself to things like my wordpress htaccess file for when I need to edit the blog - #example htaccess whitelist IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti* <Files .htaccess> order allow,deny deny from all </Files> <Limit GET HEAD PUT POST OPTIONS> Options -Indexes #deny from all, only allow whitelist addresses order deny,allow deny from all allow from 127.0.0.1 #change 127.0.0.1 to the ip or subnet you want to allow </Limit> <Limit PUT DELETE> order deny,allow deny from all </Limit> RedirectMatch temp ^/phpMyAdmin/$ / RedirectMatch temp ^/phpmyadmin/$ / Edited July 29, 2011 by digip Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 29, 2011 Author Share Posted July 29, 2011 (edited) This is why you need to change yoru rules in htaccess and use an htpasswd file as well, so only you can access the server. The htaccess and htpasswd files need to be in the root most directory, so the rules apply to everything further down the tree. (ie: /var/www/ or /var/www/html depending on how your apache is configured). Start with using a block list if you want - #example htaccess blocklist IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti* <Files .htaccess> order allow,deny deny from all </Files> <Limit GET HEAD PUT POST OPTIONS> Options -Indexes order deny,allow deny from 91.201.66.0/24 #example-subnet-to-block </Limit> <Limit PUT DELETE> order deny,allow deny from all </Limit> RedirectMatch temp ^/phpMyAdmin/$ / RedirectMatch temp ^/phpmyadmin/$ / Well I prefer not to use whitelist, blocklisting seems to be easier in my case. So should that be included in .htaccess? now my .htaccess looks like this AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/htaccess/.htpasswd AuthGroupFile /dev/null require valid-user My server root it /var/www and proxy is in /var/www/proxy Edited July 29, 2011 by Jarmo Quote Link to comment Share on other sites More sharing options...
digip Posted July 29, 2011 Share Posted July 29, 2011 Just be sure your htpasswd file is in the path htaccess is pointing to. For obvious reasons, don't post the contents of htpasswd, but test it out by putting a copy of htaccess in /var/www with the code you posted here. It should prompt for a password when trying to access it now, both at the /www stuff and for the proxy url. If it doesn't, you have something pointing to the wrong places. With a passworded setup, you can still add the block list if wanted, but should be safer now, as no one can access it without brute forcing their way in past the password prompt(not that it couldn't be done, but I hope you chose a long, unique user name and password for the prompt). Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 30, 2011 Author Share Posted July 30, 2011 Yea, that password setup works well. So if I also want to have a block list, should it be also in .htaccess? If I add that code you posted and is below server just says internal server error. #example htaccess blocklist IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti* <Files .htaccess> order allow,deny deny from all </Files> <Limit GET HEAD PUT POST OPTIONS> Options -Indexes order deny,allow deny from 91.201.66.0/24 #example-subnet-to-block </Limit> <Limit PUT DELETE> order deny,allow deny from all </Limit> RedirectMatch temp ^/phpMyAdmin/$ / RedirectMatch temp ^/phpmyadmin/$ / Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted July 30, 2011 Share Posted July 30, 2011 (edited) Look at the error log files it should give you more clues as to why the server is getting internal error. Edited July 30, 2011 by Infiltrator Quote Link to comment Share on other sites More sharing options...
digip Posted July 30, 2011 Share Posted July 30, 2011 (edited) Add individual sections 1 at a time, but I have a suspicion it doesn't like the last part of RedirectMatch temp ^/phpMyAdmin/$ / RedirectMatch temp ^/phpmyadmin/$ / and might need RedirectMatch temp ^/phpMyAdmin/$ /var/www/ RedirectMatch temp ^/phpmyadmin/$ /var/www/ If you could check the logs though and post the error, might shed some light on the issue, but something in the syntax is probably wrong, or even not supported by your version of apache setup. mod_rewrite needs to be enabled for all of that to work though, something I would think would be turned on already, but might not be and could be causing the issue. Chekc the APACHE_MODULES configuration and make sure rewrite is listed. To be sure, create a php file with <?php phpinfo(); ?> in it and then open that page on the web server. Search for rewrite and see if its installed or enabled. By the way, the parts beginning with # signs, are comments. You can remove them the # and everything after it on the same line. Edited July 30, 2011 by digip Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 30, 2011 Author Share Posted July 30, 2011 .htaccess IndexIgnore .htaccess #*/.??* *~ *# */HEADER* */README* */_vti* <Files .htaccess> order allow,deny allow from 192.168.1.0/24 deny from all </Files> AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/htaccess/.htpasswd AuthGroupFile /dev/null require valid-user And error for that below. [Sat Jul 30 14:55:41 2011] [alert] [client 192.168.1.100] /var/www/.htaccess: IndexIgnore not allowed here [Sat Jul 30 14:55:44 2011] [alert] [client 192.168.1.18] /var/www/.htaccess: IndexIgnore not allowed here, referer: http://192.168.1.9/server-status?refresh=y [Sat Jul 30 14:55:45 2011] [alert] [client 192.168.1.18] /var/www/.htaccess: IndexIgnore not allowed here ################################################################################################## 2nd.htaccess <Limit GET HEAD PUT POST OPTIONS> Options -Indexes order deny,allow deny from 91.201.66.0/24 #example-subnet-to-block </Limit> AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/htaccess/.htpasswd AuthGroupFile /dev/null require valid-user And 2nd error [Sat Jul 30 14:59:06 2011] [alert] [client 192.168.1.100] /var/www/.htaccess: Options not allowed here Quote Link to comment Share on other sites More sharing options...
Jamo Posted July 30, 2011 Author Share Posted July 30, 2011 I got it working, I had to enable mod_rewrite, and edit my httpd.conf, ... AllowOverride All FileInfo Limit Options Indexes ... Where I can easily get those Ip addresses that I should block using .htaccess Quote Link to comment Share on other sites More sharing options...
digip Posted July 31, 2011 Share Posted July 31, 2011 Something like http://www.countryipblocks.net/country-blocks/htaccess-deny-format/ would work, but you have to manually add them in the correct syntax between the deny limit area. Use my examples above for the blocklist code, just add a list from their site. You can potentially block wrong places too, but for the most part, you shouldn't have to worry about anything with the htpasswd setup you are using now. If its local addresses, you need to look at the access.log and error.log. Also, they might not be enabled in the conf, so check to see how many days are kept at a time, if it rotates them, or just continually appends, cause it can fill up the server eventually. Generally, I keep 30 days, then delete anything older than 30 days, so it just rotates continually. I've never had to set that up manually, I do it all through my hosts control panel, but shouldn't be hard to google. Quote Link to comment Share on other sites More sharing options...
Jamo Posted August 2, 2011 Author Share Posted August 2, 2011 Well I'v been trying to get country based blocking to work, but suddenly I blocked whole access from lan, my IP's are in 192.168.1.1-192.168.1.255 range. Would this 192.168.0.0/16 include that area. BTW any good places where I could learn more about those IP areas /16 /21 /24 etc., what they mean etc. Also I managed to block those IP's this is especially for, IP's like this: 46.30.132.129 Would it be included in one of following IP areas? ### Country: BOGONS #LAN #000 deny from 192.168.0.0/16 ### Country: CZECH REPUBLIC #000 deny from 46.30.64.0/21 #000 deny from 46.30.88.0/21 #000 deny from 46.30.144.0/21 #000 deny from 46.30.232.0/21 ### Country: IRAQ #000 deny from 46.30.224.0/21 ### Country: ITALY #000 deny from 46.30.168.0/21 #000 deny from 46.30.216.0/21 #000 deny from 46.30.248.0/21 ### Country: NETHERLANDS #000 deny from 46.30.184.0/21 ### Country: RUSSIAN FEDERATION #000 deny from 46.30.32.0/21 #000 deny from 46.30.40.0/21 #000 deny from 46.30.152.0/21 ### Country: SPAIN #000 deny from 46.30.16.0/21 #000 deny from 46.30.104.0/21 ### Country: TURKEY ### Country: UKRAINE #000 deny from 46.30.160.0/21 ### Country: UNITED KINGDOM #000 deny from 46.30.8.0/21 #000 deny from 46.30.48.0/21 #000 deny from 46.30.96.0/21 #000 deny from 46.30.136.0/21 #000 deny from 46.30.192.0/21 Quote Link to comment Share on other sites More sharing options...
digip Posted August 2, 2011 Share Posted August 2, 2011 (edited) 192.168.0.0/16 would block anything starting with 192.168.x.x, and you most definitely would be blocking your own lan. Thats a private lan only subnet, and not something you need to be concerned with from the internet. Like I said before, its easier to use a whitelist, vs a blacklist. This way, only addresses or subnets you allow can reach the login prompt. Edited August 2, 2011 by digip Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.